The data breach aggregator and lookup service LeakedSource has gone offline following what appears to have been a police raid.

On 27 January, someone announced on an online forum post that police had raided the website’s owner and shut down many of its networking resources.

The forum post is inaccessible to most members of the public. However, an excerpt from the post is available on Pastebin. It reads as follows:

“Yeah you heard it here first. Sorry for all you kids who don’t have all your own Databases. Leakedsource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSD’s got taken, and Leakedsource servers got subpoena’d and placed under federal investigation. If somehow he recovers from this and launches LS again, then I’ll be wrong. But I am not wrong.”

There’s been no official word from anyone associated with LeakedSource so far.

While in operation, the service maintained an ethical justification for what it did on rocky ground.

On the one hand, there were many users who employed LeakedSource to receive notifications of data breaches, verify if their credentials had been exposed, and change their usernames/passwords if they found their information leaked online.

At the same time, security researchers referred to the service to stay on top of the latest security events.

It’s doubtful we would have heard of the breaches at VerticalScope, Weebly, and others when we did, for example, had it not been for this website.

The leaked records also helped provide insight into what passwords users were choosing for their accounts, at times terrifying insight which no doubt inspired security awareness training at dozens and dozens of organizations.

But there was a dark side. Call it an “unintended but expected” consequence.

Namely, anyone who paid for a LeakedSource subscription could use the service to access billions of other people’s login credentials. That of course means bad actors could have abused their subscription to look up people’s details and try to authenticate them across various web services.

Perhaps law enforcement grew tired of these murky ethics and decided to take action. That’s assuming a raid even occurred at all.

Love or hate it, the security community will feel the absence of LeakedSource.

There’s a chance the site could resurface. But if it does, there’s no guarantee it will take on the same role as its progenitor by cracking password hashes and releasing password data. That could be a good thing. Though at this point, it’s just too early to tell.

2 Responses

’ ”Unintended but expected” consequence’? Come on. David! They knew full well what they were doing. The owners even promoted themselves on hacker forums and decrypted hashed passwords, for goodness sake!! This was nothing but a repugnant site whose ‘business model’ was one of making money from selling access to billions of innocent people’s stolen data to people who aimed to use this data for nefarious ends. Anyone in the media who used or quoted this site in their reporting was guilty of turning a blind eye to something that just 2 minutes’ thought or investigation into their practices would have made clear. Good riddance.